[ceph.git] / ceph / src / test / libcephfs / access.cc

// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab
/*
 * Ceph - scalable distributed file system
 *
 * Copyright (C) 2011 New Dream Network
 *
 * This is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License version 2.1, as published by the Free Software
 * Foundation.  See file COPYING.
 *
 */

#include "gtest/gtest.h"
#include "common/ceph_argparse.h"
#include "include/buffer.h"
#include "include/stringify.h"
#include "include/cephfs/libcephfs.h"
#include "include/fs_types.h"
#include "include/rados/librados.h"
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <dirent.h>
#include <sys/uio.h>
#include <iostream>
#include <vector>
#include "json_spirit/json_spirit.h"

#include "include/fs_types.h"

#ifdef __linux__
#include <limits.h>
#include <sys/xattr.h>
#endif

using namespace std;

rados_t cluster;

string key;

int do_mon_command(string s, string *key)
{
  char *outs, *outbuf;
  size_t outs_len, outbuf_len;
  const char *ss = s.c_str();
  int r = rados_mon_command(cluster, (const char **)&ss, 1,
			    0, 0,
			    &outbuf, &outbuf_len,
			    &outs, &outs_len);
  if (outbuf_len) {
    string s(outbuf, outbuf_len);
    std::cout << "out: " << s << std::endl;

    // parse out the key
    json_spirit::mValue v, k;
    json_spirit::read_or_throw(s, v);
    k = v.get_array()[0].get_obj().find("key")->second;
    *key = k.get_str();
    std::cout << "key: " << *key << std::endl;
    free(outbuf);
  } else {
    return -CEPHFS_EINVAL;
  }
  if (outs_len) {
    string s(outs, outs_len);
    std::cout << "outs: " << s << std::endl;
    free(outs);
  }
  return r;
}

string get_unique_dir()
{
  return string("/ceph_test_libcephfs_access.") + stringify(rand());
}

TEST(AccessTest, Foo) {
  string dir = get_unique_dir();
  string user = "libcephfs_foo_test." + stringify(rand());
  // admin mount to set up test
  struct ceph_mount_info *admin;
  ASSERT_EQ(0, ceph_create(&admin, NULL));
  ASSERT_EQ(0, ceph_conf_read_file(admin, NULL));
  ASSERT_EQ(0, ceph_conf_parse_env(admin, NULL));
  ASSERT_EQ(0, ceph_mount(admin, "/"));
  ASSERT_EQ(0, ceph_mkdir(admin, dir.c_str(), 0755));

  // create access key
  string key;
  ASSERT_EQ(0, do_mon_command(
      "{\"prefix\": \"auth get-or-create\", \"entity\": \"client." + user + "\", "
      "\"caps\": [\"mon\", \"allow *\", \"osd\", \"allow rw\", "
      "\"mds\", \"allow rw\""
      "], \"format\": \"json\"}", &key));

  struct ceph_mount_info *cmount;
  ASSERT_EQ(0, ceph_create(&cmount, user.c_str()));
  ASSERT_EQ(0, ceph_conf_read_file(cmount, NULL));
  ASSERT_EQ(0, ceph_conf_parse_env(cmount, NULL));
  ASSERT_EQ(0, ceph_conf_set(cmount, "key", key.c_str()));
  ASSERT_EQ(0, ceph_mount(cmount, "/"));

  ceph_shutdown(cmount);

  // clean up
  ASSERT_EQ(0, ceph_rmdir(admin, dir.c_str()));
  ceph_shutdown(admin);
}

TEST(AccessTest, Path) {
  string good = get_unique_dir();
  string bad = get_unique_dir();
  string user = "libcephfs_path_test." + stringify(rand());
  struct ceph_mount_info *admin;
  ASSERT_EQ(0, ceph_create(&admin, NULL));
  ASSERT_EQ(0, ceph_conf_read_file(admin, NULL));
  ASSERT_EQ(0, ceph_conf_parse_env(admin, NULL));
  ASSERT_EQ(0, ceph_mount(admin, "/"));
  ASSERT_EQ(0, ceph_mkdir(admin, good.c_str(), 0755));
  ASSERT_EQ(0, ceph_mkdir(admin, string(good + "/p").c_str(), 0755));
  ASSERT_EQ(0, ceph_mkdir(admin, bad.c_str(), 0755));
  ASSERT_EQ(0, ceph_mkdir(admin, string(bad + "/p").c_str(), 0755));
  int fd = ceph_open(admin, string(good + "/q").c_str(), O_CREAT|O_WRONLY, 0755);
  ceph_close(admin, fd);
  fd = ceph_open(admin, string(bad + "/q").c_str(), O_CREAT|O_WRONLY, 0755);
  ceph_close(admin, fd);
  fd = ceph_open(admin, string(bad + "/z").c_str(), O_CREAT|O_WRONLY, 0755);
  ceph_write(admin, fd, "TEST FAILED", 11, 0);
  ceph_close(admin, fd);

  string key;
  ASSERT_EQ(0, do_mon_command(
      "{\"prefix\": \"auth get-or-create\", \"entity\": \"client." + user + "\", "
      "\"caps\": [\"mon\", \"allow r\", \"osd\", \"allow rwx\", "
      "\"mds\", \"allow r, allow rw path=" + good + "\""
      "], \"format\": \"json\"}", &key));

  struct ceph_mount_info *cmount;
  ASSERT_EQ(0, ceph_create(&cmount, user.c_str()));
  ASSERT_EQ(0, ceph_conf_read_file(cmount, NULL));
  ASSERT_EQ(0, ceph_conf_parse_env(cmount, NULL));
  ASSERT_EQ(0, ceph_conf_set(cmount, "key", key.c_str()));
  ASSERT_EQ(0, ceph_mount(cmount, "/"));

  // allowed
  ASSERT_GE(ceph_mkdir(cmount, string(good + "/x").c_str(), 0755), 0);
  ASSERT_GE(ceph_rmdir(cmount, string(good + "/p").c_str()), 0);
  ASSERT_GE(ceph_unlink(cmount, string(good + "/q").c_str()), 0);
  fd = ceph_open(cmount, string(good + "/y").c_str(), O_CREAT|O_WRONLY, 0755);
  ASSERT_GE(fd, 0);
  ceph_write(cmount, fd, "bar", 3, 0);
  ceph_close(cmount, fd);
  ASSERT_GE(ceph_unlink(cmount, string(good + "/y").c_str()), 0);
  ASSERT_GE(ceph_rmdir(cmount, string(good + "/x").c_str()), 0);

  fd = ceph_open(cmount, string(bad + "/z").c_str(), O_RDONLY, 0644);
  ASSERT_GE(fd, 0);
  ceph_close(cmount, fd);

  // not allowed
  ASSERT_LT(ceph_mkdir(cmount, string(bad + "/x").c_str(), 0755), 0);
  ASSERT_LT(ceph_rmdir(cmount, string(bad + "/p").c_str()), 0);
  ASSERT_LT(ceph_unlink(cmount, string(bad + "/q").c_str()), 0);
  fd = ceph_open(cmount, string(bad + "/y").c_str(), O_CREAT|O_WRONLY, 0755);
  ASSERT_LT(fd, 0);

  // unlink open file
  fd = ceph_open(cmount, string(good + "/unlinkme").c_str(), O_CREAT|O_WRONLY, 0755);
  ceph_unlink(cmount, string(good + "/unlinkme").c_str());
  ASSERT_GE(ceph_write(cmount, fd, "foo", 3, 0), 0);
  ASSERT_GE(ceph_fchmod(cmount, fd, 0777), 0);
  ASSERT_GE(ceph_ftruncate(cmount, fd, 0), 0);
  ASSERT_GE(ceph_fsetxattr(cmount, fd, "user.any", "bar", 3, 0), 0);
  ceph_close(cmount, fd);

  // rename open file
  fd = ceph_open(cmount, string(good + "/renameme").c_str(), O_CREAT|O_WRONLY, 0755);
  ASSERT_EQ(ceph_rename(admin, string(good + "/renameme").c_str(),
			string(bad + "/asdf").c_str()), 0);
  ASSERT_GE(ceph_write(cmount, fd, "foo", 3, 0), 0);
  ASSERT_GE(ceph_fchmod(cmount, fd, 0777), -CEPHFS_EACCES);
  ASSERT_GE(ceph_ftruncate(cmount, fd, 0), -CEPHFS_EACCES);
  ASSERT_GE(ceph_fsetxattr(cmount, fd, "user.any", "bar", 3, 0), -CEPHFS_EACCES);
  ceph_close(cmount, fd);

  ceph_shutdown(cmount);
  ASSERT_EQ(0, ceph_unlink(admin, string(bad + "/q").c_str()));
  ASSERT_EQ(0, ceph_unlink(admin, string(bad + "/z").c_str()));
  ASSERT_EQ(0, ceph_rmdir(admin, string(bad + "/p").c_str()));
  ASSERT_EQ(0, ceph_unlink(admin, string(bad + "/asdf").c_str()));
  ASSERT_EQ(0, ceph_rmdir(admin, good.c_str()));
  ASSERT_EQ(0, ceph_rmdir(admin, bad.c_str()));
  ceph_shutdown(admin);
}

TEST(AccessTest, ReadOnly) {
  string dir = get_unique_dir();
  string dir2 = get_unique_dir();
  string user = "libcephfs_readonly_test." + stringify(rand());
  struct ceph_mount_info *admin;
  ASSERT_EQ(0, ceph_create(&admin, NULL));
  ASSERT_EQ(0, ceph_conf_read_file(admin, NULL));
  ASSERT_EQ(0, ceph_conf_parse_env(admin, NULL));
  ASSERT_EQ(0, ceph_mount(admin, "/"));
  ASSERT_EQ(0, ceph_mkdir(admin, dir.c_str(), 0755));
  int fd = ceph_open(admin, string(dir + "/out").c_str(), O_CREAT|O_WRONLY, 0755);
  ceph_write(admin, fd, "foo", 3, 0);
  ceph_close(admin,fd);

  string key;
  ASSERT_EQ(0, do_mon_command(
      "{\"prefix\": \"auth get-or-create\", \"entity\": \"client." + user + "\", "
      "\"caps\": [\"mon\", \"allow r\", \"osd\", \"allow rw\", "
      "\"mds\", \"allow r\""
      "], \"format\": \"json\"}", &key));

  struct ceph_mount_info *cmount;
  ASSERT_EQ(0, ceph_create(&cmount, user.c_str()));
  ASSERT_EQ(0, ceph_conf_read_file(cmount, NULL));
  ASSERT_EQ(0, ceph_conf_parse_env(cmount, NULL));
  ASSERT_EQ(0, ceph_conf_set(cmount, "key", key.c_str()));
  ASSERT_EQ(0, ceph_mount(cmount, "/"));

  // allowed
  fd = ceph_open(cmount, string(dir + "/out").c_str(), O_RDONLY, 0644);
  ASSERT_GE(fd, 0);
  ceph_close(cmount,fd);

  // not allowed
  fd = ceph_open(cmount, string(dir + "/bar").c_str(), O_CREAT|O_WRONLY, 0755);
  ASSERT_LT(fd, 0);
  ASSERT_LT(ceph_mkdir(cmount, dir2.c_str(), 0755), 0);

  ceph_shutdown(cmount);
  ASSERT_EQ(0, ceph_unlink(admin, string(dir + "/out").c_str()));
  ASSERT_EQ(0, ceph_rmdir(admin, dir.c_str()));
  ceph_shutdown(admin);
}

TEST(AccessTest, User) {
  string dir = get_unique_dir();
  string user = "libcephfs_user_test." + stringify(rand());

  // admin mount to set up test
  struct ceph_mount_info *admin;
  ASSERT_EQ(0, ceph_create(&admin, NULL));
  ASSERT_EQ(0, ceph_conf_read_file(admin, NULL));
  ASSERT_EQ(0, ceph_conf_parse_env(admin, NULL));
  ASSERT_EQ(0, ceph_conf_set(admin, "client_permissions", "0"));
  ASSERT_EQ(0, ceph_mount(admin, "/"));
  ASSERT_EQ(0, ceph_mkdir(admin, dir.c_str(), 0755));

  // create access key
  string key;
  ASSERT_EQ(0, do_mon_command(
      "{\"prefix\": \"auth get-or-create\", \"entity\": \"client." + user + "\", "
      "\"caps\": [\"mon\", \"allow *\", \"osd\", \"allow rw\", "
      "\"mds\", \"allow rw uid=123 gids=456,789\""
      "], \"format\": \"json\"}", &key));

  struct ceph_mount_info *cmount;
  ASSERT_EQ(0, ceph_create(&cmount, user.c_str()));
  ASSERT_EQ(0, ceph_conf_read_file(cmount, NULL));
  ASSERT_EQ(0, ceph_conf_parse_env(cmount, NULL));
  ASSERT_EQ(0, ceph_conf_set(cmount, "key", key.c_str()));
  ASSERT_EQ(-CEPHFS_EACCES, ceph_mount(cmount, "/"));
  ASSERT_EQ(0, ceph_init(cmount));

  UserPerm *perms = ceph_userperm_new(123, 456, 0, NULL);
  ASSERT_NE(nullptr, perms);
  ASSERT_EQ(0, ceph_mount_perms_set(cmount, perms));
  ceph_userperm_destroy(perms);

  ASSERT_EQ(0, ceph_conf_set(cmount, "client_permissions", "0"));
  ASSERT_EQ(0, ceph_mount(cmount, "/"));

  // user bits
  ASSERT_EQ(0, ceph_chmod(admin, dir.c_str(), 0700));
  ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 123, 456));
  ASSERT_EQ(0, ceph_mkdir(cmount, string(dir + "/u1").c_str(), 0755));
  ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 1, 456));
  ASSERT_EQ(-CEPHFS_EACCES, ceph_mkdir(cmount, string(dir + "/no").c_str(), 0755));

  // group bits
  ASSERT_EQ(0, ceph_chmod(admin, dir.c_str(), 0770));
  ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 1, 456));
  ASSERT_EQ(0, ceph_mkdir(cmount, string(dir + "/u2").c_str(), 0755));
  ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 1, 2));
  ASSERT_EQ(-CEPHFS_EACCES, ceph_mkdir(cmount, string(dir + "/no").c_str(), 0755));

  // user overrides group
  ASSERT_EQ(0, ceph_chmod(admin, dir.c_str(), 0470));
  ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 123, 456));
  ASSERT_EQ(-CEPHFS_EACCES, ceph_mkdir(cmount, string(dir + "/no").c_str(), 0755));

  // other
  ASSERT_EQ(0, ceph_chmod(admin, dir.c_str(), 0777));
  ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 1, 1));
  ASSERT_EQ(0, ceph_mkdir(cmount, string(dir + "/u3").c_str(), 0755));
  ASSERT_EQ(0, ceph_chmod(admin, dir.c_str(), 0770));
  ASSERT_EQ(-CEPHFS_EACCES, ceph_mkdir(cmount, string(dir + "/no").c_str(), 0755));

  // user and group overrides other
  ASSERT_EQ(0, ceph_chmod(admin, dir.c_str(), 07));
  ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 1, 456));
  ASSERT_EQ(-CEPHFS_EACCES, ceph_mkdir(cmount, string(dir + "/no").c_str(), 0755));
  ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 123, 1));
  ASSERT_EQ(-CEPHFS_EACCES, ceph_mkdir(cmount, string(dir + "/no").c_str(), 0755));
  ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 123, 456));
  ASSERT_EQ(-CEPHFS_EACCES, ceph_mkdir(cmount, string(dir + "/no").c_str(), 0755));

  // chown and chgrp
  ASSERT_EQ(0, ceph_chmod(admin, dir.c_str(), 0700));
  ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 123, 456));
  // FIXME: Re-enable these 789 tests once we can set multiple GIDs via libcephfs/config
  // ASSERT_EQ(0, ceph_chown(cmount, dir.c_str(), 123, 789));
  ASSERT_EQ(0, ceph_chown(cmount, dir.c_str(), 123, 456));
  // ASSERT_EQ(0, ceph_chown(cmount, dir.c_str(), -1, 789));
  ASSERT_EQ(0, ceph_chown(cmount, dir.c_str(), -1, 456));
  ASSERT_EQ(-CEPHFS_EACCES, ceph_chown(cmount, dir.c_str(), 123, 1));
  ASSERT_EQ(-CEPHFS_EACCES, ceph_chown(cmount, dir.c_str(), 1, 456));

  ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 1, 1));
  ASSERT_EQ(-CEPHFS_EACCES, ceph_chown(cmount, dir.c_str(), 123, 456));
  ASSERT_EQ(-CEPHFS_EACCES, ceph_chown(cmount, dir.c_str(), 123, -1));
  ASSERT_EQ(-CEPHFS_EACCES, ceph_chown(cmount, dir.c_str(), -1, 456));

  ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 1, 456));
  ASSERT_EQ(-CEPHFS_EACCES, ceph_chown(cmount, dir.c_str(), 123, 456));
  ASSERT_EQ(-CEPHFS_EACCES, ceph_chown(cmount, dir.c_str(), 123, -1));
  ASSERT_EQ(-CEPHFS_EACCES, ceph_chown(cmount, dir.c_str(), -1, 456));

  ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 123, 1));
  ASSERT_EQ(0, ceph_chown(cmount, dir.c_str(), -1, 456));
  // ASSERT_EQ(0, ceph_chown(cmount, dir.c_str(), 123, 789));

  ceph_shutdown(cmount);

  // clean up
  ASSERT_EQ(0, ceph_rmdir(admin, string(dir + "/u1").c_str()));
  ASSERT_EQ(0, ceph_rmdir(admin, string(dir + "/u2").c_str()));
  ASSERT_EQ(0, ceph_rmdir(admin, string(dir + "/u3").c_str()));
  ASSERT_EQ(0, ceph_rmdir(admin, dir.c_str()));
  ceph_shutdown(admin);
}

static int update_root_mode()
{
  struct ceph_mount_info *admin;
  int r = ceph_create(&admin, NULL);
  if (r < 0)
    return r;
  ceph_conf_read_file(admin, NULL);
  ceph_conf_parse_env(admin, NULL);
  ceph_conf_set(admin, "client_permissions", "false");
  r = ceph_mount(admin, "/");
  if (r < 0)
    goto out;
  r = ceph_chmod(admin, "/", 0777);
out:
  ceph_shutdown(admin);
  return r;
}


int main(int argc, char **argv)
{
  int r = update_root_mode();
  if (r < 0)
    exit(1);

  ::testing::InitGoogleTest(&argc, argv);

  srand(getpid());

  r = rados_create(&cluster, NULL);
  if (r < 0)
    exit(1);
  
  r = rados_conf_read_file(cluster, NULL);
  if (r < 0)
    exit(1);

  rados_conf_parse_env(cluster, NULL);
  r = rados_connect(cluster);
  if (r < 0)
    exit(1);

  r = RUN_ALL_TESTS();

  rados_shutdown(cluster);

  return r;
}
Commit	Line	Data
7c673cae FG	1	// -- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t --
	2	// vim: ts=8 sw=2 smarttab
	3	/*
	4	* Ceph - scalable distributed file system
	5	*
	6	* Copyright (C) 2011 New Dream Network
	7	*
	8	* This is free software; you can redistribute it and/or
	9	* modify it under the terms of the GNU Lesser General Public
	10	* License version 2.1, as published by the Free Software
	11	* Foundation. See file COPYING.
	12	*
	13	*/
	14
	15	#include "gtest/gtest.h"
	16	#include "common/ceph_argparse.h"
	17	#include "include/buffer.h"
	18	#include "include/stringify.h"
	19	#include "include/cephfs/libcephfs.h"
1e59de90	20	#include "include/fs_types.h"
7c673cae FG	21	#include "include/rados/librados.h"
	22	#include <errno.h>
	23	#include <fcntl.h>
	24	#include <unistd.h>
	25	#include <sys/types.h>
	26	#include <sys/stat.h>
	27	#include <dirent.h>
7c673cae FG	28	#include <sys/uio.h>
	29	#include <iostream>
	30	#include <vector>
	31	#include "json_spirit/json_spirit.h"
	32
1e59de90 TL	33	#include "include/fs_types.h"
1e59de90 TL	34
7c673cae FG	35	#ifdef __linux__
7c673cae FG	36	#include <limits.h>
eafe8130	37	#include <sys/xattr.h>
7c673cae FG	38	#endif
7c673cae FG	39
20effc67	40	using namespace std;
7c673cae FG	41
	42	rados_t cluster;
	43
	44	string key;
	45
	46	int do_mon_command(string s, string *key)
	47	{
	48	char outs, outbuf;
	49	size_t outs_len, outbuf_len;
	50	const char *ss = s.c_str();
	51	int r = rados_mon_command(cluster, (const char **)&ss, 1,
	52	0, 0,
	53	&outbuf, &outbuf_len,
	54	&outs, &outs_len);
	55	if (outbuf_len) {
	56	string s(outbuf, outbuf_len);
	57	std::cout << "out: " << s << std::endl;
	58
	59	// parse out the key
	60	json_spirit::mValue v, k;
	61	json_spirit::read_or_throw(s, v);
	62	k = v.get_array()[0].get_obj().find("key")->second;
	63	*key = k.get_str();
	64	std::cout << "key: " << *key << std::endl;
	65	free(outbuf);
	66	} else {
1e59de90	67	return -CEPHFS_EINVAL;
7c673cae FG	68	}
	69	if (outs_len) {
	70	string s(outs, outs_len);
	71	std::cout << "outs: " << s << std::endl;
	72	free(outs);
	73	}
	74	return r;
	75	}
	76
	77	string get_unique_dir()
	78	{
	79	return string("/ceph_test_libcephfs_access.") + stringify(rand());
	80	}
	81
	82	TEST(AccessTest, Foo) {
	83	string dir = get_unique_dir();
	84	string user = "libcephfs_foo_test." + stringify(rand());
	85	// admin mount to set up test
	86	struct ceph_mount_info *admin;
	87	ASSERT_EQ(0, ceph_create(&admin, NULL));
	88	ASSERT_EQ(0, ceph_conf_read_file(admin, NULL));
	89	ASSERT_EQ(0, ceph_conf_parse_env(admin, NULL));
	90	ASSERT_EQ(0, ceph_mount(admin, "/"));
	91	ASSERT_EQ(0, ceph_mkdir(admin, dir.c_str(), 0755));
	92
	93	// create access key
	94	string key;
	95	ASSERT_EQ(0, do_mon_command(
	96	"{\"prefix\": \"auth get-or-create\", \"entity\": \"client." + user + "\", "
	97	"\"caps\": [\"mon\", \"allow *\", \"osd\", \"allow rw\", "
	98	"\"mds\", \"allow rw\""
	99	"], \"format\": \"json\"}", &key));
	100
	101	struct ceph_mount_info *cmount;
	102	ASSERT_EQ(0, ceph_create(&cmount, user.c_str()));
	103	ASSERT_EQ(0, ceph_conf_read_file(cmount, NULL));
	104	ASSERT_EQ(0, ceph_conf_parse_env(cmount, NULL));
	105	ASSERT_EQ(0, ceph_conf_set(cmount, "key", key.c_str()));
	106	ASSERT_EQ(0, ceph_mount(cmount, "/"));
	107
	108	ceph_shutdown(cmount);
	109
	110	// clean up
	111	ASSERT_EQ(0, ceph_rmdir(admin, dir.c_str()));
	112	ceph_shutdown(admin);
	113	}
	114
	115	TEST(AccessTest, Path) {
	116	string good = get_unique_dir();
	117	string bad = get_unique_dir();
	118	string user = "libcephfs_path_test." + stringify(rand());
	119	struct ceph_mount_info *admin;
	120	ASSERT_EQ(0, ceph_create(&admin, NULL));
	121	ASSERT_EQ(0, ceph_conf_read_file(admin, NULL));
	122	ASSERT_EQ(0, ceph_conf_parse_env(admin, NULL));
	123	ASSERT_EQ(0, ceph_mount(admin, "/"));
	124	ASSERT_EQ(0, ceph_mkdir(admin, good.c_str(), 0755));
	125	ASSERT_EQ(0, ceph_mkdir(admin, string(good + "/p").c_str(), 0755));
	126	ASSERT_EQ(0, ceph_mkdir(admin, bad.c_str(), 0755));
	127	ASSERT_EQ(0, ceph_mkdir(admin, string(bad + "/p").c_str(), 0755));
	128	int fd = ceph_open(admin, string(good + "/q").c_str(), O_CREAT\|O_WRONLY, 0755);
	129	ceph_close(admin, fd);
	130	fd = ceph_open(admin, string(bad + "/q").c_str(), O_CREAT\|O_WRONLY, 0755);
	131	ceph_close(admin, fd);
132	fd = ceph_open(admin, string(bad + "/z").c_str(), O_CREAT\|O_WRONLY, 0755);
133	ceph_write(admin, fd, "TEST FAILED", 11, 0);
134	ceph_close(admin, fd);
135
136	string key;
137	ASSERT_EQ(0, do_mon_command(
138	"{\"prefix\": \"auth get-or-create\", \"entity\": \"client." + user + "\", "
139	"\"caps\": [\"mon\", \"allow r\", \"osd\", \"allow rwx\", "
140	"\"mds\", \"allow r, allow rw path=" + good + "\""
141	"], \"format\": \"json\"}", &key));
142
143	struct ceph_mount_info *cmount;
144	ASSERT_EQ(0, ceph_create(&cmount, user.c_str()));
145	ASSERT_EQ(0, ceph_conf_read_file(cmount, NULL));
146	ASSERT_EQ(0, ceph_conf_parse_env(cmount, NULL));
147	ASSERT_EQ(0, ceph_conf_set(cmount, "key", key.c_str()));
148	ASSERT_EQ(0, ceph_mount(cmount, "/"));
149
150	// allowed
151	ASSERT_GE(ceph_mkdir(cmount, string(good + "/x").c_str(), 0755), 0);
152	ASSERT_GE(ceph_rmdir(cmount, string(good + "/p").c_str()), 0);
153	ASSERT_GE(ceph_unlink(cmount, string(good + "/q").c_str()), 0);
154	fd = ceph_open(cmount, string(good + "/y").c_str(), O_CREAT\|O_WRONLY, 0755);
155	ASSERT_GE(fd, 0);
156	ceph_write(cmount, fd, "bar", 3, 0);
157	ceph_close(cmount, fd);
158	ASSERT_GE(ceph_unlink(cmount, string(good + "/y").c_str()), 0);
159	ASSERT_GE(ceph_rmdir(cmount, string(good + "/x").c_str()), 0);
160
161	fd = ceph_open(cmount, string(bad + "/z").c_str(), O_RDONLY, 0644);
162	ASSERT_GE(fd, 0);
163	ceph_close(cmount, fd);
164
165	// not allowed
166	ASSERT_LT(ceph_mkdir(cmount, string(bad + "/x").c_str(), 0755), 0);
167	ASSERT_LT(ceph_rmdir(cmount, string(bad + "/p").c_str()), 0);
168	ASSERT_LT(ceph_unlink(cmount, string(bad + "/q").c_str()), 0);
169	fd = ceph_open(cmount, string(bad + "/y").c_str(), O_CREAT\|O_WRONLY, 0755);
170	ASSERT_LT(fd, 0);
171
172	// unlink open file
173	fd = ceph_open(cmount, string(good + "/unlinkme").c_str(), O_CREAT\|O_WRONLY, 0755);
174	ceph_unlink(cmount, string(good + "/unlinkme").c_str());
175	ASSERT_GE(ceph_write(cmount, fd, "foo", 3, 0), 0);
176	ASSERT_GE(ceph_fchmod(cmount, fd, 0777), 0);
177	ASSERT_GE(ceph_ftruncate(cmount, fd, 0), 0);
178	ASSERT_GE(ceph_fsetxattr(cmount, fd, "user.any", "bar", 3, 0), 0);
179	ceph_close(cmount, fd);
180
181	// rename open file
182	fd = ceph_open(cmount, string(good + "/renameme").c_str(), O_CREAT\|O_WRONLY, 0755);
183	ASSERT_EQ(ceph_rename(admin, string(good + "/renameme").c_str(),
184	string(bad + "/asdf").c_str()), 0);
185	ASSERT_GE(ceph_write(cmount, fd, "foo", 3, 0), 0);
1e59de90 TL	186	ASSERT_GE(ceph_fchmod(cmount, fd, 0777), -CEPHFS_EACCES);
	187	ASSERT_GE(ceph_ftruncate(cmount, fd, 0), -CEPHFS_EACCES);
	188	ASSERT_GE(ceph_fsetxattr(cmount, fd, "user.any", "bar", 3, 0), -CEPHFS_EACCES);
7c673cae FG	189	ceph_close(cmount, fd);
	190
	191	ceph_shutdown(cmount);
	192	ASSERT_EQ(0, ceph_unlink(admin, string(bad + "/q").c_str()));
	193	ASSERT_EQ(0, ceph_unlink(admin, string(bad + "/z").c_str()));
	194	ASSERT_EQ(0, ceph_rmdir(admin, string(bad + "/p").c_str()));
	195	ASSERT_EQ(0, ceph_unlink(admin, string(bad + "/asdf").c_str()));
	196	ASSERT_EQ(0, ceph_rmdir(admin, good.c_str()));
	197	ASSERT_EQ(0, ceph_rmdir(admin, bad.c_str()));
	198	ceph_shutdown(admin);
	199	}
	200
	201	TEST(AccessTest, ReadOnly) {
	202	string dir = get_unique_dir();
	203	string dir2 = get_unique_dir();
	204	string user = "libcephfs_readonly_test." + stringify(rand());
	205	struct ceph_mount_info *admin;
	206	ASSERT_EQ(0, ceph_create(&admin, NULL));
	207	ASSERT_EQ(0, ceph_conf_read_file(admin, NULL));
	208	ASSERT_EQ(0, ceph_conf_parse_env(admin, NULL));
	209	ASSERT_EQ(0, ceph_mount(admin, "/"));
	210	ASSERT_EQ(0, ceph_mkdir(admin, dir.c_str(), 0755));
	211	int fd = ceph_open(admin, string(dir + "/out").c_str(), O_CREAT\|O_WRONLY, 0755);
	212	ceph_write(admin, fd, "foo", 3, 0);
	213	ceph_close(admin,fd);
	214
	215	string key;
	216	ASSERT_EQ(0, do_mon_command(
	217	"{\"prefix\": \"auth get-or-create\", \"entity\": \"client." + user + "\", "
	218	"\"caps\": [\"mon\", \"allow r\", \"osd\", \"allow rw\", "
	219	"\"mds\", \"allow r\""
	220	"], \"format\": \"json\"}", &key));
	221
	222	struct ceph_mount_info *cmount;
	223	ASSERT_EQ(0, ceph_create(&cmount, user.c_str()));
	224	ASSERT_EQ(0, ceph_conf_read_file(cmount, NULL));
	225	ASSERT_EQ(0, ceph_conf_parse_env(cmount, NULL));
	226	ASSERT_EQ(0, ceph_conf_set(cmount, "key", key.c_str()));
	227	ASSERT_EQ(0, ceph_mount(cmount, "/"));
	228
	229	// allowed
	230	fd = ceph_open(cmount, string(dir + "/out").c_str(), O_RDONLY, 0644);
	231	ASSERT_GE(fd, 0);
	232	ceph_close(cmount,fd);
	233
	234	// not allowed
	235	fd = ceph_open(cmount, string(dir + "/bar").c_str(), O_CREAT\|O_WRONLY, 0755);
	236	ASSERT_LT(fd, 0);
	237	ASSERT_LT(ceph_mkdir(cmount, dir2.c_str(), 0755), 0);
	238
	239	ceph_shutdown(cmount);
	240	ASSERT_EQ(0, ceph_unlink(admin, string(dir + "/out").c_str()));
	241	ASSERT_EQ(0, ceph_rmdir(admin, dir.c_str()));
	242	ceph_shutdown(admin);
	243	}
	244
	245	TEST(AccessTest, User) {
	246	string dir = get_unique_dir();
	247	string user = "libcephfs_user_test." + stringify(rand());
	248
	249	// admin mount to set up test
	250	struct ceph_mount_info *admin;
	251	ASSERT_EQ(0, ceph_create(&admin, NULL));
	252	ASSERT_EQ(0, ceph_conf_read_file(admin, NULL));
253	ASSERT_EQ(0, ceph_conf_parse_env(admin, NULL));
254	ASSERT_EQ(0, ceph_conf_set(admin, "client_permissions", "0"));
255	ASSERT_EQ(0, ceph_mount(admin, "/"));
256	ASSERT_EQ(0, ceph_mkdir(admin, dir.c_str(), 0755));
257
258	// create access key
259	string key;
260	ASSERT_EQ(0, do_mon_command(
261	"{\"prefix\": \"auth get-or-create\", \"entity\": \"client." + user + "\", "
262	"\"caps\": [\"mon\", \"allow *\", \"osd\", \"allow rw\", "
263	"\"mds\", \"allow rw uid=123 gids=456,789\""
264	"], \"format\": \"json\"}", &key));
265
266	struct ceph_mount_info *cmount;
267	ASSERT_EQ(0, ceph_create(&cmount, user.c_str()));
268	ASSERT_EQ(0, ceph_conf_read_file(cmount, NULL));
269	ASSERT_EQ(0, ceph_conf_parse_env(cmount, NULL));
270	ASSERT_EQ(0, ceph_conf_set(cmount, "key", key.c_str()));
1e59de90	271	ASSERT_EQ(-CEPHFS_EACCES, ceph_mount(cmount, "/"));
11fdf7f2 TL	272	ASSERT_EQ(0, ceph_init(cmount));
	273
	274	UserPerm *perms = ceph_userperm_new(123, 456, 0, NULL);
	275	ASSERT_NE(nullptr, perms);
	276	ASSERT_EQ(0, ceph_mount_perms_set(cmount, perms));
	277	ceph_userperm_destroy(perms);
	278
7c673cae FG	279	ASSERT_EQ(0, ceph_conf_set(cmount, "client_permissions", "0"));
	280	ASSERT_EQ(0, ceph_mount(cmount, "/"));
	281
	282	// user bits
	283	ASSERT_EQ(0, ceph_chmod(admin, dir.c_str(), 0700));
	284	ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 123, 456));
	285	ASSERT_EQ(0, ceph_mkdir(cmount, string(dir + "/u1").c_str(), 0755));
	286	ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 1, 456));
1e59de90	287	ASSERT_EQ(-CEPHFS_EACCES, ceph_mkdir(cmount, string(dir + "/no").c_str(), 0755));
7c673cae FG	288
	289	// group bits
	290	ASSERT_EQ(0, ceph_chmod(admin, dir.c_str(), 0770));
	291	ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 1, 456));
	292	ASSERT_EQ(0, ceph_mkdir(cmount, string(dir + "/u2").c_str(), 0755));
	293	ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 1, 2));
1e59de90	294	ASSERT_EQ(-CEPHFS_EACCES, ceph_mkdir(cmount, string(dir + "/no").c_str(), 0755));
7c673cae FG	295
	296	// user overrides group
	297	ASSERT_EQ(0, ceph_chmod(admin, dir.c_str(), 0470));
	298	ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 123, 456));
1e59de90	299	ASSERT_EQ(-CEPHFS_EACCES, ceph_mkdir(cmount, string(dir + "/no").c_str(), 0755));
7c673cae FG	300
	301	// other
	302	ASSERT_EQ(0, ceph_chmod(admin, dir.c_str(), 0777));
	303	ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 1, 1));
	304	ASSERT_EQ(0, ceph_mkdir(cmount, string(dir + "/u3").c_str(), 0755));
	305	ASSERT_EQ(0, ceph_chmod(admin, dir.c_str(), 0770));
1e59de90	306	ASSERT_EQ(-CEPHFS_EACCES, ceph_mkdir(cmount, string(dir + "/no").c_str(), 0755));
7c673cae FG	307
	308	// user and group overrides other
	309	ASSERT_EQ(0, ceph_chmod(admin, dir.c_str(), 07));
	310	ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 1, 456));
1e59de90	311	ASSERT_EQ(-CEPHFS_EACCES, ceph_mkdir(cmount, string(dir + "/no").c_str(), 0755));
7c673cae	312	ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 123, 1));
1e59de90	313	ASSERT_EQ(-CEPHFS_EACCES, ceph_mkdir(cmount, string(dir + "/no").c_str(), 0755));
7c673cae	314	ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 123, 456));
1e59de90	315	ASSERT_EQ(-CEPHFS_EACCES, ceph_mkdir(cmount, string(dir + "/no").c_str(), 0755));
7c673cae FG	316
	317	// chown and chgrp
	318	ASSERT_EQ(0, ceph_chmod(admin, dir.c_str(), 0700));
	319	ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 123, 456));
	320	// FIXME: Re-enable these 789 tests once we can set multiple GIDs via libcephfs/config
	321	// ASSERT_EQ(0, ceph_chown(cmount, dir.c_str(), 123, 789));
	322	ASSERT_EQ(0, ceph_chown(cmount, dir.c_str(), 123, 456));
	323	// ASSERT_EQ(0, ceph_chown(cmount, dir.c_str(), -1, 789));
	324	ASSERT_EQ(0, ceph_chown(cmount, dir.c_str(), -1, 456));
1e59de90 TL	325	ASSERT_EQ(-CEPHFS_EACCES, ceph_chown(cmount, dir.c_str(), 123, 1));
1e59de90 TL	326	ASSERT_EQ(-CEPHFS_EACCES, ceph_chown(cmount, dir.c_str(), 1, 456));
7c673cae FG	327
7c673cae FG	328	ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 1, 1));
1e59de90 TL	329	ASSERT_EQ(-CEPHFS_EACCES, ceph_chown(cmount, dir.c_str(), 123, 456));
	330	ASSERT_EQ(-CEPHFS_EACCES, ceph_chown(cmount, dir.c_str(), 123, -1));
	331	ASSERT_EQ(-CEPHFS_EACCES, ceph_chown(cmount, dir.c_str(), -1, 456));
7c673cae FG	332
7c673cae FG	333	ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 1, 456));
1e59de90 TL	334	ASSERT_EQ(-CEPHFS_EACCES, ceph_chown(cmount, dir.c_str(), 123, 456));
	335	ASSERT_EQ(-CEPHFS_EACCES, ceph_chown(cmount, dir.c_str(), 123, -1));
	336	ASSERT_EQ(-CEPHFS_EACCES, ceph_chown(cmount, dir.c_str(), -1, 456));
7c673cae FG	337
	338	ASSERT_EQ(0, ceph_chown(admin, dir.c_str(), 123, 1));
	339	ASSERT_EQ(0, ceph_chown(cmount, dir.c_str(), -1, 456));
	340	// ASSERT_EQ(0, ceph_chown(cmount, dir.c_str(), 123, 789));
	341
	342	ceph_shutdown(cmount);
	343
	344	// clean up
	345	ASSERT_EQ(0, ceph_rmdir(admin, string(dir + "/u1").c_str()));
	346	ASSERT_EQ(0, ceph_rmdir(admin, string(dir + "/u2").c_str()));
	347	ASSERT_EQ(0, ceph_rmdir(admin, string(dir + "/u3").c_str()));
	348	ASSERT_EQ(0, ceph_rmdir(admin, dir.c_str()));
	349	ceph_shutdown(admin);
	350	}
	351
	352	static int update_root_mode()
	353	{
	354	struct ceph_mount_info *admin;
	355	int r = ceph_create(&admin, NULL);
	356	if (r < 0)
	357	return r;
	358	ceph_conf_read_file(admin, NULL);
	359	ceph_conf_parse_env(admin, NULL);
	360	ceph_conf_set(admin, "client_permissions", "false");
	361	r = ceph_mount(admin, "/");
	362	if (r < 0)
	363	goto out;
	364	r = ceph_chmod(admin, "/", 0777);
	365	out:
	366	ceph_shutdown(admin);
	367	return r;
	368	}
	369
	370
	371	int main(int argc, char **argv)
	372	{
	373	int r = update_root_mode();
	374	if (r < 0)
	375	exit(1);
	376
	377	::testing::InitGoogleTest(&argc, argv);
	378
	379	srand(getpid());
	380
	381	r = rados_create(&cluster, NULL);
	382	if (r < 0)
	383	exit(1);
	384
	385	r = rados_conf_read_file(cluster, NULL);
	386	if (r < 0)
	387	exit(1);
	388
	389	rados_conf_parse_env(cluster, NULL);
	390	r = rados_connect(cluster);
	391	if (r < 0)
	392	exit(1);
	393
	394	r = RUN_ALL_TESTS();
	395
	396	rados_shutdown(cluster);
	397
	398	return r;
	399	}